Node-jsonwebtoken: Unnecessary installed files with NPM : Need NPM whitelisting

Created on 25 Aug 2016 · 4 Comments · Source: auth0/node-jsonwebtoken

Nice package, very useful :bowtie:

But unnecessary files are installed during npm install :

  • bin/changelog
  • test/...
  • .jshintrc
  • .travis.yml

I see that you have an .npmignore file with this inside :

node_modules
.DS_Store

That's pretty useless as those files are ignored by default by NPM

I suggest whitelisting instead of blacklisting files to be installed by adding files to the package.json :

{
  "files": [
    "lib/",
    "decode.js",
    "index.js",
    "sign.js",
    "verify.js"
  ]
}

Please read documentation : https://docs.npmjs.com/files/package.json#files

Also remove .npmignore file

Some of us are using microservices (AWS Lambda, Azure Function, etc.) and we can benefit from having small packages with only production files. Thanks. I may open a PR with that.

PS: And rename bin/changelog to scripts/changelog.js as bin is usually used to distribute bin files
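
The effect of the `files` allowlist proposed above, as an added example that is not part of the original issue or the project's code: a simplified model (exact file names and directory entries only, no glob patterns) of which files would be published. The `lib/example.js` and `test/example.test.js` paths and all function names are constructed for illustration.

```javascript
// Added example: simplified model of npm's "files" allowlist (not npm's own code).
// Assumption: entries are exact file names or directories; glob patterns are not handled.

// Root-level files npm always packs regardless of settings, per the list quoted in this thread.
const ALWAYS = [/^package\.json$/i, /^readme(\.[^/]*)?$/i,
  /^changelog(\.[^/]*)?$/i, /^licen[cs]e(\.[^/]*)?$/i];

function isAlwaysIncluded(path) {
  return ALWAYS.some((re) => re.test(path));
}

// True when `path` is named by an allowlist entry: an exact file ("index.js")
// or anything under a directory entry ("lib/" or "lib").
function matchesEntry(path, entry) {
  const dir = entry.replace(/\/+$/, '');
  return path === dir || path.startsWith(dir + '/');
}

// Split a repository file listing into what would be published and what would not.
function auditPackage(pkg, repoFiles) {
  if (!Array.isArray(pkg.files)) {
    // No allowlist: every file that is not ignored gets published, so review the whole tree.
    return { allowlist: false, published: [...repoFiles], excluded: [] };
  }
  const published = [];
  const excluded = [];
  for (const f of repoFiles) {
    const keep = isAlwaysIncluded(f) || pkg.files.some((e) => matchesEntry(f, e));
    (keep ? published : excluded).push(f);
  }
  return { allowlist: true, published, excluded };
}

// Constructed sample: the allowlist from this issue and a listing built from the names it mentions.
const pkg = { files: ['lib/', 'decode.js', 'index.js', 'sign.js', 'verify.js'] };
const repoFiles = ['package.json', 'README.md', 'CHANGELOG.md', 'LICENSE',
  'index.js', 'decode.js', 'sign.js', 'verify.js', 'lib/example.js',
  'bin/changelog', 'test/example.test.js', '.jshintrc', '.travis.yml'];

const report = auditPackage(pkg, repoFiles);
console.log('published:', report.published);
console.log('excluded: ', report.excluded);
```

With an allowlist, a file added to the repository later (a fixture, a local config, a credentials file) stays out of the published package unless someone names it in `files`.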

All 4 comments

> But unnecessary files are installed during npm install :

I accept your opinion but I am against this kind of optimization in the repositories that I maintain.

The short answer is that I happen to use the things I maintain and this kind of optimization isn't worth it and it makes developers' lives harder.

Long answer:

These files sum to a total of 120k, and gzipped it is 11k. This is nothing in terms of bandwidth and storage nowadays.

Removing this means that I can't check the "tests" or the CHANGELOG locally. Instead I have to:

  • go to my package.json to check what version of the library I am using
  • then go to the repository (or GitHub) and select the version I want to get info on

which is very inconvenient when you are developing in node.js.

@jfromaniello This is not an optimisation, this is first of all about semantics :

source code !== distribution

Please have a look at some packages like :

I didn't add CHANGELOG.md in file on purpose as npm adds it by default:

Certain files are always included, regardless of settings:

package.json
README (and its variants)
CHANGELOG (and its variants)
LICENSE / LICENCE

Tests are for contributors (people that are cloning your repo).

> The short answer is that I happen to use the things I maintain

All those files will still be in your repo and in your tags/releases..

> this kind of optimization isn't worth it and it makes developers' lives harder.

Think about microservices (AWS Lambda, Azure Functions, etc..). I had to add a "cleanup" script on my CI environment not to deploy tests and extra useless files.. :-/

NPM is a package manager not a SCM

@jfromaniello You can also look at your friend auth0/lock with its .npmignore file

And you can also read http://stackoverflow.com/questions/8617753/exclude-test-code-in-npm-package
